CB Protection: Is the Agent Protected Against the Following Threats: DEP, ASLR, EAF, SEHOP, HEAP


Article ID: 290985


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Is the CB Protection Agent protected against the following threats:
  1. Data Execution Prevention (DEP)
  2. Address Space Layout Randomization (ASLR)
  3. Export Address Table Access Filtering (EAF)
  4. Structured Exception Handler Overwrite Protection (SEHOP)
  5. Heap Spray Allocations

Environment

  • CB Protection Agent: All Versions
  • Microsoft Windows: All Supported Versions 

Resolution

The items listed are exploit-mitigation techniques rather than exploits. They date back to the Windows Vista era, are now built into current versions of Windows, and can be enabled through Group Policy (GPO).

Additional Information

  • The CB Protection Agent will block any unapproved file that tries to execute if the Agent is on at least Medium enforcement.
  • With modern operating systems exploit mitigation is built in, so the risk of allowing arbitrary, unapproved files to execute on your machines far exceeds the risk of being exploited by an adversary using one of the techniques mentioned.
  • The threats listed relate to anti-exploit mitigation techniques introduced in Windows Vista. These are typically enforced per application with a tool such as Windows Defender Exploit Guard (Exploit Protection). For instance, by default in Windows 10, all of the Office applications, Edge, and a handful of OS binaries are protected with the aforementioned anti-exploit techniques.
  • Several of these techniques are used by application exploits in Metasploit (MSF), but every code-execution exploit has very specific application-version requirements.
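The following PowerShell session is an added example, not part of this article and not Carbon Black code, showing how the mitigations named above (DEP, ASLR, SEHOP, EAF, with heap-spray addressed through DEP plus ASLR randomisation) are audited and enforced per application with the built-in ProcessMitigations cmdlets on Windows 10 1709+ / Server 2016+, and how the result is exported for distribution by GPO. The process name `example.exe` and the output path `C:\Temp\ExploitProtection.xml` are placeholders; the property names read from `Get-ProcessMitigation -System` are those reported by current Windows builds and are assumed here rather than taken from the article.

```powershell
# Added example (not from the KB article): audit and apply Exploit Protection
# mitigations with the ProcessMitigations cmdlets. Run in an elevated PowerShell.
# Assumption: 'example.exe' is a placeholder for the application being hardened.

$app = 'example.exe'

# 1. System-wide defaults, inherited by every process unless overridden per app.
#    Values are ON, OFF or NOTSET. (Property paths assumed from current builds.)
$sys = Get-ProcessMitigation -System
[PSCustomObject]@{
    DEP   = $sys.Dep.Enable
    ASLR  = $sys.Aslr.ForceRelocateImages
    SEHOP = $sys.SEHOP.Enable
    EAF   = $sys.Payload.EnableExportAddressFilter
}

# 2. Anything already configured for the specific application.
Get-ProcessMitigation -Name $app

# 3. Enforce the article's mitigations for that application only, the same
#    per-process model Exploit Guard applies to Office and Edge by default.
#    There is no separate "heap spray" switch: a non-executable (DEP) and
#    randomised (ForceRelocateImages, BottomUp, HighEntropy) address space is
#    what defeats sprayed heap payloads.
Set-ProcessMitigation -Name $app -Enable DEP, ForceRelocateImages, BottomUp, HighEntropy, SEHOP, EnableExportAddressFilter

# 4. Export the effective policy to XML. The file can then be delivered by GPO via
#    Computer Configuration > Administrative Templates > Windows Components >
#    Windows Defender Exploit Guard > Exploit Protection >
#    "Use a common set of exploit protection settings".
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'

# To apply an exported file on another host: Set-ProcessMitigation -PolicyFilePath <file>
```

Per-application settings live under the Image File Execution Options registry key and take precedence over the system defaults, which is why step 2 is worth checking before step 3: an existing OFF entry for the application would otherwise silently win over the GPO-delivered baseline.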